Linux Foundation Certified Kubernetes Application Developer - CKAD Exam Practice Test
You have a Deployment named 'web-app' running a containerized application with a complex startup sequence. The application relies on a database service that might be slow to respond on startup. How would you implement Liveness and Readiness probes to ensure the application is healthy and available to users, even during startup?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define Liveness Probe:
- Create a 'livenessProbe' within the 'containers' section of your 'web-app' Deployment YAML.
- Choose a probe type appropriate for your application. In this case, since the startup is complex, use an 'exec' probe.
- Specify the command to execute. This should be a simple command that checks if the application is up and ready to handle requests.
- Set 'initialDelaySeconds' and 'periodSeconds' to provide sufficient time for the application to start.
- Configure 'failureThreshold' and 'successThreshold' to define how many failed or successful probes trigger a pod restart.

2. Define Readiness Probe:
- Create a 'readinessProbe' within the 'containers' section of your 'web-app' Deployment YAML.
- Use the same 'exec' probe type as for the liveness probe.
- Specify a command that checks if the application is ready to serve traffic.
- Set 'initialDelaySeconds' and 'periodSeconds' to control the frequency and delay of the probe.
- Configure 'failureThreshold' and 'successThreshold' to handle failed or successful probe results.

3. Deploy the Deployment:
- Apply the updated YAML file using 'kubectl apply -f web-app.yaml'.

4. Verify the Probes:
- Observe the pod logs using 'kubectl logs' to see when liveness and readiness probes are executed.
- Use 'kubectl get pods -l app=web-app' to check the status of pods and see how liveness and readiness probes affect the pod's health and availability.

5. Test the Application:
- Send requests to the application to verify that it is healthy and responsive, even during startup.

- Liveness Probe: The 'livenessProbe' checks if the application is still healthy and running. If the probe fails repeatedly, Kubernetes will restart the pod to fix the issue. This ensures that unhealthy pods are removed and replaced with healthy ones.
- Readiness Probe: The 'readinessProbe' checks if the application is ready to receive traffic. This allows Kubernetes to delay sending traffic to a pod until it is fully initialized and prepared to serve requests. It helps prevent users from encountering errors during startup.

By using both liveness and readiness probes, you can ensure your application is healthy and available to users, even during complex startup sequences.
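One way the two probes can look in the 'web-app' Deployment, as an added example that is not part of the original answer; the image, the check scripts under /app/bin and all timing values are assumptions. Here the liveness command checks only the application process, while the readiness command also checks the database connection, so a slow database keeps the pod out of the Service endpoints instead of causing restarts.

```yaml
# Added example: image, script paths and timings are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
        - name: web-app
          image: registry.example.com/web-app:1.0   # placeholder image
          livenessProbe:
            exec:
              # Hypothetical script: exits 0 while the application process
              # itself is healthy. It does not contact the database.
              command: ["/app/bin/live-check"]
            initialDelaySeconds: 60   # leave room for the long startup
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3       # restart after 3 consecutive failures
            successThreshold: 1       # must be 1 for liveness probes
          readinessProbe:
            exec:
              # Hypothetical script: exits 0 only when the application can
              # serve requests, including a working database connection.
              command: ["/app/bin/ready-check"]
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 3       # mark not ready after 3 failures
            successThreshold: 2       # require 2 passes before ready again
```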
You are running a web application with multiple services exposed via Kubernetes Ingress. The application has two distinct environments: 'staging' and 'production', each with its own set of services and domain names. You need to configure Ingress rules to route traffic to the appropriate services based on the requested hostname and environment. For example, requests to 'staging.example.com' should be directed to the staging environment, while requests to 'example.com' should go to the production environment. Implement this configuration using Ingress rules.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Service for Each Environment:
- Define services for both 'staging' and 'production' environments, ensuring that the services for each environment are named appropriately. For example, 'staging-service' and .

2. Create an Ingress Resource:
- Define an Ingress resource that maps the hostnames to the corresponding services.

3. Apply the Configuration:
- Apply the service and ingress definitions using 'kubectl apply -f services.yaml' and 'kubectl apply -f ingress.yaml' respectively.

4. Test the Configuration:
- Access 'staging.example.com' and 'example.com' in your browser to ensure that the traffic is directed to the correct services and environments.
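The Services and Ingress described in steps 1 and 2, as an added example rather than the original answer's manifests; the name 'production-service', the 'env' labels, the Ingress name and the ports are assumptions.

```yaml
# Added example: production-service, labels, ports and the Ingress name
# are assumptions. Requires an ingress controller running in the cluster.
apiVersion: v1
kind: Service
metadata:
  name: staging-service
spec:
  selector:
    app: web-app
    env: staging          # assumed label on the staging pods
  ports:
    - port: 80
      targetPort: 8080    # assumed container port
---
apiVersion: v1
kind: Service
metadata:
  name: production-service   # assumed name
spec:
  selector:
    app: web-app
    env: production       # assumed label on the production pods
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: environment-routing   # assumed name
spec:
  rules:
    # Routing is decided by the HTTP Host header of each request.
    - host: staging.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: staging-service
                port:
                  number: 80
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: production-service
                port:
                  number: 80
# An Ingress can only reference Services in its own namespace. If staging
# and production live in separate namespaces, create one Ingress per
# namespace, each carrying the rule for its own hostname.
```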
You are managing a Kubernetes cluster running a web application. You need to create a CronJob that automatically updates the web application's database every night at 1:00 AM. The database update script is located in a container image named 'database-update:v1'. The script requires the following environment variables: 'DATABASE_HOST', 'DATABASE_USER', and 'DATABASE_PASSWORD'. How would you create the CronJob YAML file to achieve this?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create the CronJob YAML file:
- Start by creating a YAML file named 'database-update-cronjob.yaml' with the following structure:

2. Create a Secret for database credentials:
- Create a Kubernetes secret named 'database-credentials' to store the sensitive database credentials:
kubectl create secret generic database-credentials \
  --from-literal=DATABASE_HOST=your_database_host \
  --from-literal=DATABASE_USER=your_database_user \
  --from-literal=DATABASE_PASSWORD=your_database_password

3. Apply the CronJob:
- Apply the CronJob YAML file using 'kubectl apply -f database-update-cronjob.yaml'.

4. Verify the CronJob:
- Check the status of the CronJob using "kubectl get cronjobs" and ensure that it is scheduled successfully.

- 'schedule': Defines the schedule for the CronJob. In this case, it's set to "0 1 * * *", which means the job will run at 1:00 AM every day.
- 'jobTemplate': Specifies the template for the job that will be created by the CronJob.
- 'containers': Defines the container that will run the database update script.
- 'image': Sets the image for the container, which is 'database-update:v1'.
- 'command': Defines the command to be executed in the container.
- Specifies the environment variables required for the database update script. In this case, the variables are retrieved from a Kubernetes secret named 'database-credentials' to ensure secure storage of sensitive information.
- 'backoffLimit': Sets the maximum number of retries if the job fails.
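A CronJob manifest consistent with the fields described above, as an added example and not the original answer's file; the script path, the 'backoffLimit' value and 'concurrencyPolicy' are assumptions. Each variable is read from the 'database-credentials' Secret with 'secretKeyRef', so no credential value appears in the manifest.

```yaml
# Added example: script path, backoffLimit value and concurrencyPolicy
# are assumptions, not taken from the original answer.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: database-update
spec:
  # 1:00 AM every day, evaluated in the controller manager's time zone
  # unless spec.timeZone is set.
  schedule: "0 1 * * *"
  concurrencyPolicy: Forbid     # assumption: never run two updates at once
  jobTemplate:
    spec:
      backoffLimit: 3           # assumed retry limit
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: database-update
              image: database-update:v1
              # Hypothetical entry point inside the image.
              command: ["/bin/sh", "-c", "/scripts/update-database.sh"]
              env:
                - name: DATABASE_HOST
                  valueFrom:
                    secretKeyRef:
                      name: database-credentials
                      key: DATABASE_HOST
                - name: DATABASE_USER
                  valueFrom:
                    secretKeyRef:
                      name: database-credentials
                      key: DATABASE_USER
                - name: DATABASE_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: database-credentials
                      key: DATABASE_PASSWORD
# The Secret must exist in the same namespace as the CronJob; if a
# referenced key is missing, the container fails to start.
```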

Set Configuration Context:
[student@node-1] $ kubectl config use-context k8s
Task
You have rolled out a new pod to your infrastructure and now you need to allow it to communicate with the web and storage pods but nothing else. Given the running pod kdsn00201-newpod, edit it to use a network policy that will allow it to send and receive traffic only to and from the web and storage pods.


Correct Answer:
See the solution below.
Explanation:
To allow a pod to send and receive traffic only to and from specific pods, you can use network policies in Kubernetes.
First, you will need to create a network policy that defines the allowed traffic. You can create a network policy yaml file with the following rules:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: newpod-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: kdsn00201-newpod
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: storage
This policy will only allow incoming traffic to the pod with the label app=kdsn00201-newpod from pods with the label app=web or app=storage. If you have different labels on your web and storage pods please update the matchLabels accordingly.
Once you have created the network policy, you can apply it to the cluster by running the following command:
kubectl apply -f <network-policy-file>.yaml
This will apply the network policy to the cluster, and the newpod will only be able to send and receive traffic to and from the web and storage pods.
Please note that the NetworkPolicy resource is not available by default; you need to enable the NetworkPolicy feature on your Kubernetes cluster. This feature is enabled by default on some clusters and must be explicitly enabled on others. You can check if NetworkPolicy is available by running the command kubectl api-versions | grep networking
Also, you need to ensure that the pods that you want to allow traffic to and from are running in the same namespace.
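The manifest above lists only 'ingress' rules, and a policy without an 'egress' section or the 'Egress' policy type does not restrict outbound traffic. The following added example (not part of the original answer) extends the same policy to both directions, assuming the web and storage pods carry the labels app=web and app=storage used above.

```yaml
# Added example: same policy as above, extended to cover egress.
# Enforcement depends on the cluster's network plugin supporting
# NetworkPolicy; without one the object is accepted but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: newpod-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: kdsn00201-newpod
  # Listing both types makes the selected pod default-deny in each
  # direction; only the peers named below are then allowed.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
        - podSelector:
            matchLabels:
              app: storage
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: web
        - podSelector:
            matchLabels:
              app: storage
# A podSelector without a namespaceSelector matches pods in the policy's
# own namespace only. With egress limited this way, DNS lookups from the
# pod are blocked as well, so peers must be reached by IP unless a
# separate rule for the cluster DNS service is added.
```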
You have a Deployment named 'wordpress-deployment' that runs 3 replicas of a WordPress container. You want to ensure that the deployment is always updated with the latest image available in the 'wordpress/wordpress:latest' Docker Hub repository. However, you need to implement a rolling update strategy that allows for a maximum of two pods to be unavailable during the update process.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Update the Deployment YAML:
- Update the 'replicas' to 3.
- Define 'maxUnavailable: 2' and 'maxSurge:' in the 'strategy.rollingUpdate' section.
- Configure a 'strategy.type' to 'RollingUpdate' to trigger a rolling update when the deployment is updated.
- Add a 'spec.template.spec.imagePullPolicy: Always' to ensure that the new image is pulled even if it exists in the pod's local cache.

2. Create the Deployment:
- Apply the updated YAML file using 'kubectl apply -f wordpress-deployment.yaml'.

3. Verify the Deployment:
- Check the status of the deployment using 'kubectl get deployments wordpress-deployment' to confirm the rollout and updated replica count.

4. Trigger the Automatic Update:
- Push a new image to the 'wordpress/wordpress:latest' Docker Hub repository.

5. Monitor the Deployment:
- Use 'kubectl get pods -l app=wordpress' to monitor the pod updates during the rolling update process. You will observe that two pods are terminated at a time, while two new pods with the updated image are created.

6. Check for Successful Update:
- Once the deployment is complete, use 'kubectl describe deployment wordpress-deployment' to see that the 'updatedReplicas' field matches the 'replicas' field, indicating a successful update.
You are tasked with setting up a Kubernetes cluster with a service that exposes a web application, along with a database running as a stateful set. The application needs to access the database through an internal IP address, but the database should not be accessible from outside the cluster. What are the steps involved to configure this, and what components should be used to achieve this setup?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create the Database StatefulSet:
- Define a StatefulSet for your database, ensuring it uses a persistent volume to store its data.
- Specify the database image and any necessary configuration.
- Configure a service of type 'ClusterIP' for the database, accessible only within the cluster.

2. Create the Application Deployment:
- Create a Deployment for your web application, specifying the application image and required ports.
- Add an environment variable to the application container to define the database connection string, using the database service's ClusterIP.

3. Create the Application Service:
- Create a service of type 'LoadBalancer' (or 'NodePort' if using a cloud provider) for your web application, exposing it to the outside world.
- Ensure the service points to the application deployment.

4. Verify the Setup:
- Ensure all resources are created successfully by running 'kubectl get all'.
- Access the web application through the external IP address exposed by the LoadBalancer service.
- Verify that the application can connect to the database.

By following these steps, you've created a secure setup where the database is only accessible from within the cluster, while your web application can communicate with the database and expose its services to the outside world.

You have a Kubernetes cluster with multiple namespaces: 'dev', 'staging', and 'production'. You need to implement a network policy that allows pods in the 'dev' namespace to access services running in the 'staging' namespace. Pods in the 'dev' namespace should only be allowed to connect to ports 80 and 443 on the services in the 'staging' namespace. Implement the network policy configuration.
A. See the solution below with Step by Step Explanation.
Answer: A

Task:
A pod within the Deployment named buffalo-deployment and in namespace gorilla is logging errors.
1) Look at the logs and identify error messages.
Find errors, including User "system:serviceaccount:gorilla:default" cannot list resource "deployment" [...] in the namespace "gorilla"
2) Update the Deployment buffalo-deployment to resolve the errors in the logs of the Pod.
The buffalo-deployment's manifest can be found at ~/prompt/escargot/buffalo-deployment.yaml
See the solution below.
Correct Answer:
Solution:

You need to schedule a job to run every day at 10:00 AM to clean up old container images in your Kubernetes cluster. These images are tagged with "app=my-app" and have been created in the last 7 days. How would you implement this using a CronJob?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a CronJob YAML file:

2. Apply the CronJob:
kubectl apply -f image-cleanup-cronjob.yaml

3. Verify the CronJob:
kubectl get cronjobs

- Schedule: The 'schedule' field defines the cron expression, which triggers the job every day at 10:00 AM.
- Job Template: The 'jobTemplate' defines the actual job that will be executed.
- Container:
  - The 'image' field specifies the container image to use. In this case, it's a container with 'kubectl' pre-installed.
  - The 'command' and 'args' fields define the command to run in the container. The command uses 'kubectl' to list images with the specified label and then iterates through them, checking their creation date. If an image is older than 7 days, it's deleted.
- RestartPolicy: The 'restartPolicy' is set to 'OnFailure' to ensure the job restarts if it fails.

Important Note:
- Make sure the container image you choose has the necessary tools (like 'kubectl') to interact with your Kubernetes cluster.
- This solution assumes you have the necessary permissions to delete images. If not, you may need to modify the 'kubectl delete image' command to use appropriate RBAC roles.
- This solution doesn't consider images used by running pods. You should adjust the script to exclude images that are currently in use.

This CronJob will automatically run every day, cleaning up old container images and maintaining a clean environment in your cluster.
You need to configure a PodSecurityPolicy to restrict the capabilities of pods running in your Kubernetes cluster. You want to create a policy that allows pods to use only specific capabilities and prevent them from accessing host resources.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a PodSecurityPolicy:
- Create a PodSecurityPolicy YAML configuration file:

2. Apply the PodSecurityPolicy:
- Apply the PodSecurityPolicy configuration to your Kubernetes cluster:
kubectl apply -f restricted-pod-policy.yaml

3. Bind the Policy to ServiceAccount:
- Create a RoleBinding or ClusterRoleBinding to bind the PodSecurityPolicy to a specific ServiceAccount or all users.
- For example, to bind it to a ServiceAccount:

4. Test the Policy:
- Create a pod using the ServiceAccount that has the PodSecurityPolicy applied.
- Verify that the pod cannot access host resources or use unauthorized capabilities.
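A policy and binding matching steps 1 and 3, as an added example that is not the original answer's YAML; the allowed capability, the volume list, the namespace and the ServiceAccount name 'app-sa' are assumptions. PodSecurityPolicy was removed in Kubernetes v1.25, so these manifests apply only to older clusters that still serve 'policy/v1beta1'.

```yaml
# Added example: capability choice, volume list, namespace and the
# ServiceAccount name are assumptions. Takes effect only when the
# PodSecurityPolicy admission plugin is enabled on the API server.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-pod-policy
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Containers must drop every capability...
  requiredDropCapabilities:
    - ALL
  # ...and may add back only what is listed here.
  allowedCapabilities:
    - NET_BIND_SERVICE
  # No access to host namespaces; hostPorts is omitted, so no host
  # ports may be requested either.
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # hostPath is absent from the list, so host directories cannot be mounted.
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A policy applies to a pod only if the pod's creator or its
# ServiceAccount is granted the "use" verb on that policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-restricted-pod-policy
  namespace: default
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-pod-policy"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-restricted-pod-policy
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-restricted-pod-policy
subjects:
  - kind: ServiceAccount
    name: app-sa            # hypothetical ServiceAccount
    namespace: default
```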